Path: csiph.com!news.mixmin.net!news.neodome.net!.POSTED!not-for-mail From: anonymous Newsgroups: alt.privacy, alt.os.linux, comp.security.misc, comp.os.linux.security, comp.sys.mips, alt.comp.networking.routers, comp.os.linux.advocacy Subject: A look at home routers, and a surprising bug in Linux/MIPS Followup-To: alt.privacy, alt.os.linux, comp.sys.mips, alt.comp.networking.routers Date: Sun, 6 Jan 2019 02:52:30 +0000 (UTC) Organization: Neodome Message-ID: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Date: Sun, 6 Jan 2019 02:52:30 +0000 (UTC) Injection-Info: neodome.net; posting-account="BiIwhWR5jDiLOKe5GBJn5NohKGdvitPU70y8HpEmKtoXc3ylNGUTHWwwqC fH/ypT3Iuz3VdtVzEmIfd6uUqpSmktxvcoRCYVOlJo2ruJatVcq+Ug3e0lGCO++ddxGYS6oo3JP R4UO9c+9Cs5FO2VgdQ+mFGRv18oag3N1RJKUiNPLZgUSlhI3cEg2adBt52NFoLLLasdmZgxqNz0 WZrq8pSG2Wapbp00bjVfHPwYLhrMBoYSDeLaMFH7delwTyOTFSNmCPcFmBCEN7u2OyF8pvzxCiv 9Yk5B85k/DxJRBS8M06P/BV9lfHSFYgG+487r0ccxFx3JmQR1N0c1d+EuXA=="; posting-host="BZDJgD09h3b5fGPz3Rrf9K1u7Y5VR7rzCkt170hfkILsexAbPcNu06mnEa6VW r3B7fj68JqOiwogypROB6CVkrlIOdPNH4Rya5cD0CFkAPTUgKWJqrR1LAqhBSCpP+8k+4fUZvNj 6XrbARXmzyaKbn4alLbpR6usnImolE5FinT7Q2rx50TO8Td0UKA1bwdaEyx6VBQWXvUPvDkSHoA BjI3QV1aH5pJVpmuqXgq6wch2M6Vaj3H4Qb9V69ktKEpY8yToAy91nhaYzMr2pRTSeJyEGTttb3 wIHfJxFXfwfk0IbyWF6EWzTUFsX4kp6ESbqULpEAiRmuZilD1cMPTcNw=="; logging-data="16980"; mail-complaints-to="abuse@neodome.net" Xref: csiph.com alt.privacy:22926 alt.os.linux:52455 comp.security.misc:1390 comp.os.linux.security:739 comp.sys.mips:15 alt.comp.networking.routers:2171 comp.os.linux.advocacy:483013 Today we're pleased to announce the release of two papers: Build Safety of Software in 28 Popular Home Routers, by Parker Thompson and Sarah Zatko Linux MIPS - A soft target: past, present, and future, by Parker Thompson and Mudge Zatko In the first paper, we analyze the firmware images of 28 popular home routers, checking for basic code hygiene and software safety features. What we found was disappointing: none of the routers made consistent use of basic software safety features like ASLR, stack guards, and DEP - features which have been standard in desktop environments for over 15 years. Given the role these devices play in consumers' homes, and the ease with which these issues could be resolved, we believe the absence of these features is reckless and negligent. We strongly urge vendors to review their software build practices and adopt practices which ensure these basic security features are present prior to product release. But that's not all. In the second paper, we describe an unfortunate bug in the Linux/MIPS architecture which we encountered in the course of our reporting on routers. This bug, whose origins date back to 2001, prevents most Linux/MIPS binaries from enjoying the full protections of DEP and ASLR. Given the popularity of Linux/MIPS in embedded devices (such as IoT, consumer and enterprise network equipment, etc), and the enormous diversity of threat models for such devices, we believe this bug represents a significant risk to a large segment of Internet-connected devices. Source: